Best IT Documents.com Blog


Sample Visio – Oracle HCM Internals

Oracle HCM Internals

www.bestitdocuments.com


Sample Visio – High Level LogRhythm Architecture

High Level LogRhythm Architecture

Sample Visio – High Level Archer Create Workflow

High Level Archer Create Workflow


Sample Visio – Basic flow for establishing OS Hardening Builds


Sample Visio – Autosys Passive Configuration

Autosys Passive Configuration


LogRhythm Architecture and Design 7.x Notes

• Dashboard
• Searching
• Review of alarms

• Qualify – investigate to establish root cause
• Then mitigate

• HTML5-coded

• Risk-based alarms
• Case workflow

• Real-time data
• Double-click drill-down
• Underlying log data

Log viewer to analyst grid – access
Low footprint on the browser (client)

Activities represented
Pivot/sort of data and datasets

Widgets to customize the dashboard
Edit widgets, more advanced filters

Threat activity map
Drill down: create a task on another task to free up resources

Flow data – Network Monitor
Deep packet analytics (rule: protocol mismatch)
Packet captures – session based

Case management
Tagging for cases (searchable and filterable with dashboards)
Create new tags

Log contains: search contextualized content for finance data and SSNs

Search contains: filter on classified actions (750 devices, applications and systems)
Pre-created processing rules
Structured and unstructured searches


Endpoint monitoring
File integrity monitoring
Watchlist users
  ◦ Account takeovers
    ▪ Precision searches
    ▪ Alarms page (tab)
    ▪ Fired alarms and risk-based fired alarms
    ▪ Entity: logical segmentation of the network
    ▪ Other filtering and sorting, by risk and by date
  ◦ Smart responses based on activity (actions – multiple responses)
    ▪ Disable accounts or quarantine devices
    ▪ Corroborated alarms (supporting activities, i.e. 3 or more behavioral anomalies from the user)
    ▪ Associate logs and alarms into cases
  ◦ Drill down into data sets associated with the activities
    ▪ Watchlist or searches (criteria, source with host)

Single host or distributed hosts for performance.

AI Engine
Desktop console

System logs (Windows, Unix; remote collection with no agent directly installed) – local and remote log collection

Non Server log server performance file integrity


PCI, SOX, GLBA and Security Resources

Posted in Application (380), Compliances (1300), Data Center - SOC - NOC, Security (1500) by Guest on December 3rd, 2018

IT Security / Technology Risk / Control Frameworks

SCF: Simplified Control Framework
http://www.controlframework.com/

COBIT 5
http://www.isaca.org/COBIT/Pages/default.aspx

COSO:
http://www.coso.org/

Risk and Control Frameworks:
http://www.solutionary.com/index/compliance/security-frameworks.php


Assessment Areas – PCI, SOX, NIST

  • Expert background in Technical Controls Assessment, Compliance, Risk, and Security control requirements.
  • SOX: SSAE 16 SOC 1 / ISAE 3402, SOC 2, SOC 3 (Type 2) – (Security, Availability, Processing Integrity, Confidentiality, or Privacy) – (Policies, Communications, Procedures, Monitoring); detailed vs. high-level.
  • PCI DSS / PA-DSS – PCI: CDE, access, vendors, network segmentation, ROC/AOC, submission, management recommendations and roadmap to compliance. QSA / PA-QSA, ASV background.


Preparatory Research

  • Mapping Application Security to Controls: SDLC Assessments (very good)
    https://www.isaca.org/Education/Online-Learning/Documents/Security-Innovation-11Jan12.pdf
  • A Compliance Primer for IT Professionals (great overview – a little dated, but a very good overview across controls)
    http://www.sans.org/reading_room/whitepapers/compliance/compliance-primer-professionals_33538
    http://www.corporatecomplianceinsights.com/wp-content/uploads/gravity_forms/14-f3c6012ed7b64af70e209c6db8553b08/2012/02/Aligning+Application+Security+and+Compliance1.pdf
  • SANS – MOACL – Mother of All Control Lists (dated info but good)
    http://www.sans.org/reading_room/whitepapers/compliance/meeting-compliance-efforts-mother-control-lists-moacl_33299


Technology Risk / IT Controls Integration Terminology

Technology Risk

Likelihood, Impact and SDLC Project Mapping, System Characterization, Controls Benchmark, Gap Analysis, Risk Remediation & Prioritization, Corrective Action Plan (CAP), IT Risk / IT Controls Remediation Roadmap, Risk Register, Risk Framework, Risk Scorecard, KRI, Loss Events. System Characterization, Threat Identification, Vulnerability Identification, Control Analysis, Likelihood Determination, Impact Analysis, Risk Determination, Controls Recommendations, Results Documentation.

IT Controls

Security, Documentation, Changes to Documentation, Implementation, Life Expectancy of a Version and a Version Upgrade, Hierarchy of Access – who can inquire versus who can make changes, Approvals, Sign-offs, Maintenance, Back-ups, Disaster Planning and Back-up, Change Management, Incident Management, etc.

PCI Terminology

PCI DSS 3.0; Qualified Security Assessor (QSA), who creates a Report on Compliance (ROC), or a Self-Assessment Questionnaire (SAQ); Internal Security Assessor (ISA); volume of card-holder transactions – Levels 1-4 Merchants; Attestation of Compliance; ASV (Approved Scan Vendor); 12 Domains / 6 Control Objectives.


IT Governance / Regulations – Next PAGES – HIPAA, PCI, SOX, NIST

Omnibus Final Rule Summary

http://www.ama-assn.org/resources/doc/washington/HIPAA-omnibus-final-rule-summary.pdf

PCI / DSS

PCI DSS: v3.0, changes from 2.0 to 3.0, terms, ROC reporting instructions, prioritized approach tool, FAQs, SAQs

PCI / DSS 3.1: https://www.pcisecuritystandards.org/security_standards/documents.php

TERMINOLOGY: PCI DSS 3.0; Qualified Security Assessor (QSA), who creates a Report on Compliance (ROC), or a Self-Assessment Questionnaire (SAQ); Internal Security Assessor (ISA); dependent on volume of card-holder transactions – Levels 1-4 Merchants; Attestation of Compliance; ASV (Approved Scan Vendor); 12 Domains / 6 Control Objectives.

PCI/DSS 2.0: https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf (compensating controls p. 64+)

PCI / DSS Risk Assessment Guidelines: https://www.pcisecuritystandards.org/documents/PCI_DSS_v2_Risk_Assmt_Guidelines.pdf

PCI DSS – QSA – ROC: PCI – Data Security Standard – Validation Requirements

PCI-DSS (SAQ/Attestation guide): http://www.elementps.com/merchants/pci-dss/compliance-level/

PCI / DSS: https://www.pcisecuritystandards.org/security_standards

(ISO 27005, NIST SP 800-XX/30, OCTAVE)


HIPAA and PCI Compliance ARE NOT INTERCHANGEABLE (Data Center Knowledge)

SOX:

http://www.sox-online.com/act_section_404.html

SOX (SANS overview): An Overview of Sarbanes-Oxley for the Information Security Professional

SSAE 16 / ISAE 3402 / SOC 1-3: Service Organization Controls Report: https://www.ssae-16.com/

AICPA – SOC – Service Organization Controls:

SOC 1 / SOC 2 / SOC 3 (Type 2): http://www.ssae16.org/white-papers/ssae-16-soc-1-2-3.html

Understanding SaaS Compliance – SSAE 16 / SOC 1 / SOC 2: https://en.wikipedia.org/wiki/Service_Organization_Controls

Terminology: (Security, Availability, Processing Integrity, Confidentiality, or Privacy) – (Policies, Communications, Procedures, Monitoring); detailed vs. high-level

GLBA:

http://searchcio.techtarget.com/definition/Gramm-Leach-Bliley-Act

ISO:

ISO/27001 / 2:

http://www.27000.org/iso-27001.htm

http://www.27000.org/iso-27002.htm

ISO/27005:

http://www.27000.org/iso-27005.htm


NIST:

NIST SP 800 Series

NIST SP 800-53 (R4):

http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final_updated-errata_05-01-2010.pdf

NIST RMF – Risk Management Framework (SP 800-37):

NIST SP 800-64: Security in the SDLC: http://csrc.nist.gov/publications/nistpubs/800-64-Rev2/SP800-64-Revision2.pdf

NIST SP 800-30: http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

IT Controls Checklists: http://www.checklist20.com/


Technology Risk

5 Biggest IT risks explained (very good): http://www.youtube.com/watch?v=5UXhJyTunhM

(Hacking/ social engineering, Fraud, Disasters, Change / Disruptive, ROI)

Risk Register: 4 Steps (very good): http://www.youtube.com/watch?v=mNQzRdWy9Ow

(Risk Frameworks, Categories, Strategic Objectives/Map / Balanced Scorecards / Weightings / Likelihood / Impacts / Risk Score)

Why most Risk Assessments are Wrong (TR): http://www.youtube.com/watch?v=PA9rqNBZWIw&feature=endscreen&NR=1

Risk Assessment (TR): http://www.youtube.com/watch?v=eD2mQ6ooYO4

Archer: Risk Management: http://www.youtube.com/watch?v=6KaapSEkOlQ

IT Risk Management 2.0: http://www.youtube.com/watch?v=VkmIOJYA3hM

Strategic Risk Management Dashboards: http://www.otusanalytics.com/wp/?p=422

Risk, Event Management & Importance of Excellence (great): http://www.youtube.com/watch?v=t8Mr23rLps0


Technology Risk Radar: http://www.kpmg.co.uk/email/11Nov13/OM006033A/index.html#46

Archer: eGRC:  http://www.youtube.com/watch?v=SMkj8twTM6c

Archer Smart Suite Framework: http://www.infosecurityproductsguide.com/technology/2007/Archer_Compliance.html

Technology Risk Assessments

RISK Assessments:   https://www.smart-ra.com/News/Uploads/100511122641_ISACA_CPE%20Meet_May%202011_1.pdf

Risk Assessment Report Template – example: Risk Assessment Report Template (CDC – OCIO)

Information Risk Assessments: Understanding the process:

OCTAVE – Method – Intro: http://www.cert.org/octave/methodintro.html

IT Information Security Risk Assessment Tools / Templates / Audit Guides:

RISK Assessment Toolkit: CA – CIO.gov (good info): http://www.cio.ca.gov/OIS/government/risk/toolkit.asp

Agile Risk Management in 5 simple steps: http://michaellant.com/2010/06/04/five-simple-steps-to-agile-risk-management

Burndown Chart: http://www.mountaingoatsoftware.com/blog/managing-risk-on-agile-projects-with-the-risk-burndown-chart


Some of the independent resources available include:

  • Center for Internet Security (CIS): http://benchmarks.cisecurity.org/
  • National Institute of Standards and Technology (NIST): http://csrc.nist.gov/publications/nistpubs/800-123/SP800-123.pdf
  • National Security Agency (NSA): https://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml